standard_id 0.1.0 → 0.1.2

data/app/models/standard_id/identifier.rb

@@ -10,6 +10,8 @@ module StandardId
     # Shared validations
     validates :value, presence: true, uniqueness: { scope: [:account_id, :type] }
 
+    after_commit :mark_account_verified!, on: :update, if: :just_verified?
+
     def verified?
       verified_at.present?
     end
@@ -21,5 +23,20 @@ module StandardId
     def unverify!
       update!(verified_at: nil)
     end
+
+    private
+
+    def just_verified?
+      saved_change_to_verified_at? && verified_at.present?
+    end
+
+    def mark_account_verified!
+      return if account.nil?
+
+      return unless account.has_attribute?(:verified)
+      return unless account.has_attribute?(:verified_at)
+
+      account.update!(verified: true, verified_at: Time.current)
+    end
   end
 end

data/app/models/standard_id/phone_number_identifier.rb

@@ -1,5 +1,7 @@
 module StandardId
   class PhoneNumberIdentifier < Identifier
+    normalizes :value, with: ->(p) { p.strip }
+
     validates :value, format: { with: /\A\+?[1-9]\d{1,14}\z/ }
   end
 end

data/app/models/standard_id/username_identifier.rb

@@ -1,5 +1,7 @@
 module StandardId
   class UsernameIdentifier < Identifier
+    normalizes :value, with: ->(u) { u.strip }
+
     validates :value, format: { with: /\A[a-zA-Z0-9_]+\z/ }
   end
 end

data/config/routes/web.rb

@@ -19,6 +19,18 @@ StandardId::WebEngine.routes.draw do
       resource :confirm, only: [:show, :update], controller: :confirm
     end
 
+    # Identifier verification (email)
+    namespace :verify_email do
+      resource :start, only: [:show, :create], controller: :start
+      resource :confirm, only: [:show, :update], controller: :confirm
+    end
+
+    # Identifier verification (phone)
+    namespace :verify_phone do
+      resource :start, only: [:show, :create], controller: :start
+      resource :confirm, only: [:show, :update], controller: :confirm
+    end
+
     # Account management
     resource :account, only: [:show, :edit, :update], controller: :account
     resources :sessions, only: [:index, :destroy], controller: :sessions

data/db/migrate/20250830000000_create_standard_id_client_applications.rb

@@ -1,8 +1,8 @@
 class CreateStandardIdClientApplications < ActiveRecord::Migration[7.1]
   def change
-    create_table :standard_id_client_applications do |t|
+    create_table :standard_id_client_applications, id: primary_key_type do |t|
       # Polymorphic owner association (Account, Organization, etc.)
-      t.references :owner, null: false, polymorphic: true, index: true
+      t.references :owner, type: primary_key_type, null: false, polymorphic: true, index: true
 
       # Basic client information
       t.string :name, null: false
@@ -50,7 +50,7 @@ class CreateStandardIdClientApplications < ActiveRecord::Migration[7.1]
     end
 
     if connection.adapter_name.downcase.include?("postgres")
-      add_index :standard_id_clients, :metadata, using: :gin
+      add_index :standard_id_client_applications, :metadata, if_not_exists: true, using: :gin
     end
   end
 end

data/db/migrate/20250830232800_create_standard_id_identifiers.rb

@@ -1,7 +1,7 @@
 class CreateStandardIdIdentifiers < ActiveRecord::Migration[8.0]
   def change
     create_table :standard_id_identifiers, id: primary_key_type do |t|
-      t.references :account, null: false, foreign_key: { to_table: StandardId.config.account_class.table_name }, index: true
+      t.references :account, type: primary_key_type, null: false, foreign_key: { to_table: StandardId.account_class.table_name }, index: true
 
       t.string :type, null: false
 

data/db/migrate/20250831075703_create_standard_id_credentials.rb

@@ -1,8 +1,8 @@
 class CreateStandardIdCredentials < ActiveRecord::Migration[8.0]
   def change
     create_table :standard_id_credentials, id: primary_key_type do |t|
-      t.references :identifier, null: false, foreign_key: { to_table: :standard_id_identifiers }, index: true
-      t.references :credentialable, null: false, polymorphic: true, index: true
+      t.references :identifier, type: primary_key_type, null: false, foreign_key: { to_table: :standard_id_identifiers }, index: true
+      t.references :credentialable, type: primary_key_type, null: false, polymorphic: true, index: true
 
       t.timestamps
     end

data/db/migrate/20250831154635_create_standard_id_sessions.rb

@@ -1,7 +1,7 @@
 class CreateStandardIdSessions < ActiveRecord::Migration[8.0]
   def change
     create_table :standard_id_sessions, id: primary_key_type do |t|
-      t.references :account, null: false, foreign_key: true, index: true
+      t.references :account, type: primary_key_type, null: false, foreign_key: true, index: true
 
       # STI type column
       t.string :type, null: false, index: true
@@ -29,7 +29,7 @@ class CreateStandardIdSessions < ActiveRecord::Migration[8.0]
       t.datetime :last_refreshed_at
 
       # ServiceSession columns
-      t.references :owner, polymorphic: true, null: true, index: true
+      t.references :owner, type: primary_key_type, polymorphic: true, null: true, index: true
       t.string :service_name
       t.string :service_version
 

data/db/migrate/20250901134520_create_standard_id_client_secret_credentials.rb

@@ -1,9 +1,9 @@
 class CreateStandardIdClientSecretCredentials < ActiveRecord::Migration[7.1]
   def change
-    create_table :standard_id_client_secret_credentials do |t|
+    create_table :standard_id_client_secret_credentials, id: primary_key_type do |t|
       t.string :name, null: false
 
-      t.references :client_application, null: false, foreign_key: { to_table: :standard_id_client_applications }, index: true
+      t.references :client_application, type: primary_key_type, null: false, foreign_key: { to_table: :standard_id_client_applications }, index: true
 
       t.string :client_id, null: false, index: true # Denormalized for performance
       t.string :client_secret_digest, null: false

data/db/migrate/20250907090000_create_standard_id_code_challenges.rb

@@ -0,0 +1,29 @@
+class CreateStandardIdCodeChallenges < ActiveRecord::Migration[8.0]
+  def change
+    create_table :standard_id_code_challenges, id: primary_key_type do |t|
+      t.string :realm, null: false         # e.g., authentication, verification
+      t.string :channel, null: false       # e.g., email, sms
+      t.string :target, null: false        # recipient address (email/phone), normalized by caller
+      t.string :code, null: false
+
+      t.datetime :expires_at, null: false
+      t.datetime :used_at
+
+      t.string :ip_address
+      t.text :user_agent
+
+      if connection.adapter_name.downcase.include?("postgres")
+        t.jsonb :metadata, default: {}, null: false
+        t.index :metadata, using: :gin
+      else
+        t.json :metadata, default: {}, null: false
+      end
+
+      t.timestamps
+    end
+
+    add_index :standard_id_code_challenges, [:realm, :channel, :target, :code], name: "index_code_challenges_on_lookup"
+    add_index :standard_id_code_challenges, :expires_at
+    add_index :standard_id_code_challenges, :used_at
+  end
+end

data/lib/generators/standard_id/install/templates/standard_id.rb

@@ -2,10 +2,43 @@
 # Generated by: rails g standard_id:install
 
 StandardId.configure do |c|
-  # Set to the String name of your account model (e.g., "User" or "Account")
+  # Base configuration (account model, infrastructure settings)
   c.account_class_name = "User"
-
-  # Optional: customize cache store and logger used internally by StandardId
   # c.cache_store = Rails.cache
   # c.logger = Rails.logger
+  # c.web_layout = "application"
+  # c.passwordless_email_sender = ->(email, code) { PasswordlessMailer.with(code: code, to: email).deliver_later }
+  # c.passwordless_sms_sender   = ->(phone, code) { SmsProvider.send_code(phone: phone, code: code) }
+
+  # Configuration subsets (creates static OpenStruct objects)
+  # c.passwordless.code_ttl = 600 # 10 minutes
+  # c.passwordless.max_attempts = 3
+  # c.password.minimum_length = 8
+  # c.password.require_special_chars = true
+  # c.oauth.default_token_lifetime = 3600 # 1 hour
+  # c.oauth.refresh_token_lifetime = 2_592_000 # 30 days
+  # c.oauth.token_lifetimes = {
+  #   password: 8.hours,
+  #   client_credentials: 24.hours
+  # }
+
+  # Social login credentials (if enabled in your app)
+  # c.social.google_client_id     = ENV["GOOGLE_CLIENT_ID"]
+  # c.social.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
+  # c.social.apple_client_id      = ENV["APPLE_CLIENT_ID"]
+  # c.social.apple_private_key    = ENV["APPLE_PRIVATE_KEY"]
+  # c.social.apple_key_id         = ENV["APPLE_KEY_ID"]
+  # c.social.apple_team_id        = ENV["APPLE_TEAM_ID"]
+
+  # OIDC Logout allow list
+  # c.allowed_post_logout_redirect_uris = [
+  #   "https://app.example.com/logged_out",
+  #   "https://admin.example.com/signout"
+  # ]
 end
+
+# Notes:
+# - All configuration scopes and fields are defined via the schema DSL
+#   in: lib/standard_id/config/schema.rb
+# - Values are automatically cast to the correct type (string, integer, boolean, etc.)
+# - Invalid scopes or fields will raise ArgumentError with helpful messages

data/lib/{standard_id → standard_config}/config.rb

@@ -1,4 +1,4 @@
-module StandardId
+module StandardConfig
   # Manages configuration for the StandardId engine
   #
   # Usage:

data/lib/standard_config/config_provider.rb

@@ -0,0 +1,82 @@
+require "ostruct"
+
+module StandardConfig
+  class ConfigProvider
+    def initialize(scope_name, resolver_proc, schema = nil)
+      @scope_name = scope_name
+      @resolver_proc = resolver_proc
+      @schema = schema
+    end
+
+    def method_missing(method_name, *args)
+      if method_name.to_s.end_with?('=')
+        # Setter - only works for static configs (OpenStruct objects)
+        field_name = method_name.to_s.chomp('=').to_sym
+        validate_field!(field_name)
+
+        config_object = @resolver_proc.call
+        if config_object.respond_to?(method_name)
+          config_object.send(method_name, args.first)
+        elsif config_object.respond_to?(:[]=)
+          # Support hash-like providers
+          value = args.first
+          config_object[field_name] = value
+          # Also set string key for convenience if symbol not used by provider
+          begin
+            config_object[field_name.to_s] = value
+          rescue StandardError
+            # ignore if provider doesn't accept string keys
+          end
+        else
+          raise NoMethodError, "Configuration object doesn't support setting #{field_name}"
+        end
+      else
+        # Getter
+        get_field(method_name)
+      end
+    end
+
+    def get_field(field_name)
+      validate_field!(field_name)
+
+      config_object = @resolver_proc.call
+      raw_value = if config_object.respond_to?(field_name)
+                    config_object.send(field_name)
+                  elsif config_object.respond_to?(:[])
+                    config_object[field_name] || config_object[field_name.to_s]
+                  else
+                    nil
+                  end
+
+      # Cast the value according to schema
+      field_def = @schema&.field_definition(@scope_name, field_name)
+      return raw_value unless field_def
+
+      casted = @schema&.cast_value(raw_value, field_def.type) || raw_value
+      # Return dup for mutable structures to prevent accidental mutation of shared defaults
+      if casted.is_a?(Array)
+        casted.dup
+      elsif casted.is_a?(Hash)
+        casted.dup
+      else
+        casted
+      end
+    end
+
+    def respond_to_missing?(method_name, include_private = false)
+      field_name = method_name.to_s.end_with?('=') ? method_name.to_s.chomp('=').to_sym : method_name.to_sym
+      @schema&.valid_field?(@scope_name, field_name) || super
+    end
+
+    private
+
+    def validate_field!(field_name)
+      return unless @schema # Skip validation if no schema provided
+
+      unless @schema.valid_field?(@scope_name, field_name)
+        valid_fields = @schema.scopes[@scope_name]&.fields&.keys || []
+        raise ArgumentError, "Unknown field '#{field_name}' for scope '#{@scope_name}'. Valid fields: #{valid_fields}"
+      end
+    end
+  end
+end

data/lib/standard_config/manager.rb

@@ -0,0 +1,86 @@
+require "ostruct"
+require "standard_config/config_provider"
+
+module StandardConfig
+  class Manager
+    def initialize(schema)
+      @schema = schema
+      @providers = {}
+    end
+
+    # Register a configuration provider for a scope
+    def register(scope_name, resolver_proc)
+      scope_name = scope_name.to_sym
+
+      # Validate scope exists in schema
+      unless @schema.valid_scope?(scope_name)
+        raise ArgumentError, "Unknown configuration scope: #{scope_name}. Valid scopes: #{@schema.scopes.keys}"
+      end
+
+      @providers[scope_name] = ConfigProvider.new(scope_name, resolver_proc, @schema)
+      self
+    end
+
+    def registered?(scope_name)
+      @providers.key?(scope_name.to_sym)
+    end
+
+    # Access configuration scopes via method calls
+    def method_missing(method_name, *args)
+      method_str = method_name.to_s
+      scope_name = method_str.end_with?("=") ? method_str.chomp("=").to_sym : method_name.to_sym
+
+      # Handle field setter via unique scope resolution
+      if method_str.end_with?("=")
+        field = scope_name
+        scopes = @schema.scopes_with_field(field)
+        if scopes.size == 1
+          s = scopes.first
+          register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
+          @providers[s].public_send(method_name, *args)
+          return args.first
+        end
+      end
+
+      # Handle field getter via unique scope resolution
+      scopes = @schema.scopes_with_field(scope_name)
+      if scopes.size == 1
+        s = scopes.first
+        register(s, -> { create_static_config_for_scope(s) }) unless @providers.key?(s)
+        return @providers[s].get_field(scope_name)
+      end
+
+      # Handle scope access
+      if @providers.key?(scope_name)
+        return @providers[scope_name]
+      end
+
+      # Create static provider for valid scopes on first access
+      if @schema.valid_scope?(scope_name)
+        register(scope_name, -> { create_static_config_for_scope(scope_name) })
+        return @providers[scope_name]
+      end
+
+      super
+    end
+
+    def respond_to_missing?(method_name, include_private = false)
+      method_str = method_name.to_s
+      scope_name = method_str.end_with?("=") ? method_str.chomp("=").to_sym : method_name.to_sym
+      @schema.valid_scope?(scope_name) ||
+        @schema.scopes_with_field(scope_name).any? ||
+        super
+    end
+
+    private
+
+    def create_static_config_for_scope(scope_name)
+      @static_configs ||= {}
+      @static_configs[scope_name] ||= OpenStruct.new.tap do |config|
+        @schema.scopes[scope_name].fields.each do |field_name, field_def|
+          config.send("#{field_name}=", field_def.default_value)
+        end
+      end
+    end
+  end
+end

data/lib/standard_config/schema.rb

@@ -0,0 +1,137 @@
+module StandardConfig
+  class Schema
+    def initialize
+      @scopes = {}
+    end
+
+    # DSL entry
+    def draw(&block)
+      Drawer.new(self).instance_eval(&block) if block_given?
+      self
+    end
+
+    def scopes
+      @scopes
+    end
+
+    def scope(name, &block)
+      name_sym = name.to_sym
+      builder = scopes[name_sym] ||= ScopeBuilder.new(name_sym)
+      builder.instance_eval(&block) if block_given?
+      builder
+    end
+
+    def valid_scope?(name)
+      scopes.key?(name.to_sym)
+    end
+
+    def valid_field?(scope_name, field_name)
+      return false unless valid_scope?(scope_name)
+      scopes[scope_name.to_sym].fields.key?(field_name.to_sym)
+    end
+
+    def field_definition(scope_name, field_name)
+      return nil unless valid_scope?(scope_name)
+      scopes[scope_name.to_sym].fields[field_name.to_sym]
+    end
+
+    # Return an array of scope names that define the given field
+    def scopes_with_field(field_name)
+      scopes.keys.select { |s| scopes[s].fields.key?(field_name.to_sym) }
+    end
+
+    def cast_value(value, type)
+      return value if value.nil?
+
+      case type
+      when :any
+        value
+      when :string
+        value.to_s
+      when :integer
+        value.to_i
+      when :float
+        value.to_f
+      when :boolean
+        case value
+        when true, false then value
+        when 'true', '1', 1 then true
+        when 'false', '0', 0 then false
+        else !!value
+        end
+      when :array
+        Array(value)
+      when :hash
+        value.is_a?(Hash) ? value : {}
+      else
+        value
+      end
+    end
+
+    class ScopeBuilder
+      attr_reader :name, :fields
+
+      def initialize(name)
+        @name = name.to_sym
+        @fields = {}
+      end
+
+      def field(name, type: :string, default: nil, readonly: false)
+        key = name.to_sym
+        if @fields.key?(key)
+          Kernel.warn("[StandardId::Configuration] Redefining field '#{key}' in scope '#{@name}'. Last definition wins.")
+        end
+        @fields[key] = FieldDefinition.new(name, type: type, default: default, readonly: readonly)
+      end
+    end
+
+    class FieldDefinition
+      attr_reader :name, :type, :default, :readonly
+
+      def initialize(name, type: :string, default: nil, readonly: false)
+        @name = name.to_sym
+        @type = type
+        @default = default
+        @readonly = readonly
+      end
+
+      def default_value
+        if @default.respond_to?(:call)
+          @default.call
+        elsif @default.is_a?(Array)
+          @default.dup
+        else
+          @default
+        end
+      end
+    end
+
+    # Internal DSL driver
+    class Drawer
+      def initialize(schema)
+        @schema = schema
+      end
+
+      # scope :base do ... end OR scope :passwordless do ... end
+      def scope(name, &block)
+        name_sym = name.to_sym
+        # Ensure scope exists, then evaluate the block in a scoped context
+        @schema.scope(name_sym)
+        ScopedScope.new(@schema, name_sym).instance_eval(&block) if block_given?
+      end
+    end
+
+    class ScopedScope
+      def initialize(schema, scope_name)
+        @schema = schema
+        @scope_name = scope_name
+      end
+
+      def field(name, type: :string, default: nil, readonly: false)
+        # Add field to the last declared scope by using ScopeBuilder within @schema.scope
+        # This method will be called inside Schema.scope block via Drawer
+        @schema.scopes[@scope_name].field(name, type: type, default: default, readonly: readonly)
+      end
+    end
+  end
+end

data/lib/standard_config.rb

@@ -0,0 +1,38 @@
+require "standard_config/config"
+require "standard_config/config_provider"
+require "standard_config/manager"
+require "standard_config/schema"
+
+module StandardConfig
+  class << self
+    def schema
+      @schema ||= Schema.new
+    end
+
+    def configure(&block)
+      config.register(:base, block) unless config.registered?(:base) if block_given? && block.arity == 0
+
+      yield config if block_given?
+
+      config
+    end
+
+    def config
+      @manager ||= Manager.new(schema)
+    end
+
+    private
+
+    def create_default_config
+      require "ostruct"
+      static_config = OpenStruct.new
+      base_scope = schema.scopes[:base]
+      if base_scope
+        base_scope.fields.each do |field_name, field_def|
+          static_config.send("#{field_name}=", field_def.default_value)
+        end
+      end
+      static_config
+    end
+  end
+end

data/lib/standard_id/api/session_manager.rb

@@ -12,7 +12,7 @@ module StandardId
 
       def current_account
         return unless current_session
-        @current_account ||= StandardId.config.account_class.find_by(id: current_session.account_id)
+        @current_account ||= StandardId.account_class.find_by(id: current_session.account_id)
       end
 
       def revoke_current_session!

data/lib/standard_id/config/schema.rb

@@ -0,0 +1,49 @@
+# Schema definitions for StandardId
+# This file defines the configuration schema structure
+
+require "standard_config"
+
+StandardConfig.schema.draw do
+  scope :base do
+    field :account_class_name, type: :string, default: "User"
+    field :cache_store, type: :any, default: nil
+    field :logger, type: :any, default: nil
+    field :web_layout, type: :string, default: nil
+    field :passwordless_email_sender, type: :any, default: nil
+    field :passwordless_sms_sender, type: :any, default: nil
+    field :issuer, type: :string, default: nil
+    field :login_url, type: :string, default: nil
+    field :allowed_post_logout_redirect_uris, type: :array, default: []
+  end
+
+  scope :passwordless do
+    field :code_ttl, type: :integer, default: 600 # 10 minutes in seconds
+    field :max_attempts, type: :integer, default: 3
+    field :retry_delay, type: :integer, default: 30 # 30 seconds
+  end
+
+  scope :password do
+    field :minimum_length, type: :integer, default: 8
+    field :require_special_chars, type: :boolean, default: false
+    field :require_uppercase, type: :boolean, default: false
+    field :require_numbers, type: :boolean, default: false
+  end
+
+  scope :oauth do
+    field :default_token_lifetime, type: :integer, default: 3600 # 1 hour in seconds
+    field :refresh_token_lifetime, type: :integer, default: 2592000 # 30 days in seconds
+    field :token_lifetimes, type: :hash, default: -> { {} }
+    field :client_id, type: :string, default: nil
+    field :client_secret, type: :string, default: nil
+  end
+
+  scope :social do
+    field :google_client_id, type: :string, default: nil
+    field :google_client_secret, type: :string, default: nil
+    field :apple_client_id, type: :string, default: nil
+    field :apple_client_secret, type: :string, default: nil
+    field :apple_private_key, type: :string, default: nil
+    field :apple_key_id, type: :string, default: nil
+    field :apple_team_id, type: :string, default: nil
+  end
+end

data/lib/standard_id/oauth/client_credentials_flow.rb

@@ -11,7 +11,7 @@ module StandardId
       private
 
       def subject_id
-        @credential.account_id
+        @credential.client_id
       end
 
       def client_id
@@ -29,10 +29,6 @@ module StandardId
       def audience
         params[:audience]
       end
-
-      def token_expiry
-        1.hour
-      end
     end
   end
 end

data/lib/standard_id/oauth/implicit_authorization_flow.rb

@@ -68,7 +68,7 @@ module StandardId
       end
 
       def token_expiry
-        1.hour
+        TokenLifetimeResolver.access_token_for(:implicit)
       end
 
       def subject_id

data/lib/standard_id/oauth/password_flow.rb

@@ -39,10 +39,6 @@ module StandardId
         true
       end
 
-      def token_expiry
-        8.hours # Longer expiry for user sessions
-      end
-
       def authenticate_account(username, password)
         StandardId::PasswordCredential
           .includes(credential: :account)